The First Step in Cyber Insurance: Know Your
Risk and What you’re Insuring Against.
Cyber insurance provides an opportunity to address residual risk in your information security program by offsetting the costs
of a data breach of ePHI. However, individual policies, coverage and exclusions are highly variable, so just like any other
security control, it's important to understand your security risk profile before an appropriate cyber insurance policy can
be defined. An assessment, such as a HIPAA Security Risk Analysis, should be the first step in any insurance policy
strategy. Here's why:

You'll have to do one anyway. The most important factors in most enterprise cyber insurance rates are the state of your
current security controls and your revenue. So not only is a security risk analysis an essential part of any robust
information security program, one you should be doing anyway, but it will also be a factor in your rates and is likely a
requirement before you can secure a policy.

The safest approach is to avoid a breach in the first place. Most policies require substantial out-of-pocket expenses to
be paid by the insured regardless of your coverage, and no insurance can fully replace lost productivity and brand damage due
to a breach. A recent study released by Carnegie Mellon University (and others), "An Empirical Analysis of Data Breach
Litigation," notes that "the odds of a settlement are found to be 10 times greater when the breach is caused by a
cyber-attack, relative to lost or stolen hardware, and the compromise of medical data increases the probability of settlement by
31%." Thus, insure against theft, but still spend money on locks for your doors!

Your risk profile will enable a better-tailored policy. Cyber insurance policy coverage is highly variable and configurable.
Policy buyers need to be aware of what is covered, and that distinct coverage, limits, and deductibles may apply to
individual risk categories. To ensure that a policy is tailored to your individual risk profile, it's important to
understand where your risk lies. Areas that can be insured typically include regulatory fines and penalties, claims and
lawsuits, and response costs such as breach notification for affected customers, credit monitoring, forensic analysis, legal
fees, and public relations outreach.

Do you really know where your risk is? A key area of risk that a security risk analysis illuminates is the extent to which
Business Associates (BAs) factor into your overall risk. Our experience is that BAs often pose more risk than might be
expected, given the amount of ePHI they access and/or host, because their security controls are not always on par
with those of the healthcare organization that provided the data, despite the Business Associate Agreement that is in place.
This is particularly relevant when the BA is a cloud provider. A security risk analysis should clarify the extent of
cloud-based and BA risk so that this critical part of the policy can be defined appropriately.

Cyber insurance can prove to be an effective tool for mitigating the fiscal impact of an ePHI data breach. With proper
policy review and selection, guided by an informed view of your risk profile, it's more likely that such a policy will be
accurately scoped and achieve your objectives.

WEB: WWW.REDSPIN.COM    PHONE: 800-721-9177    EMAIL: INFO@REDSPIN.COM
